Preliminary security settings for Linux (1)

Source: Internet
Author: User

Not long ago, I downloaded the latest kernel version, with great patience, over a dial-up connection. Throughout the download I kept wishing that one day I could have a high-speed Internet connection at home. The arrival of xDSL and cable modems makes that possible, price considerations aside.
As I write this article, somewhere in the world someone is probably installing a Linux distribution on a home computer for the first time. A new Linux administrator sets up accounts so that family and friends can use the system. Shortly after the initial installation, that Linux system may well be connected to the Internet over an exciting high-speed DSL line.
Still vulnerable to attacks
Today, almost every available Linux distribution has security weaknesses, most of which are easy to attack. Unfortunately, distributions are left open by convention and practice. When a typical Linux installation is started for the first time, it offers a variety of services that can be attacked, such as shell, IMAP, and POP3. Idle users often use these services as a starting point for breaking into a system. This is not a limitation of Linux alone: well-established commercial UNIX systems offer the same services and are broken into as well.
There is no need to complain or assign blame, but locking down a new system (the professional term is hardening) is very important. Believe it or not, hardening a Linux system does not require much security expertise. In fact, you can eliminate 90% of the insecure factors within five minutes.
Let's get started.
Before you start hardening the system, ask yourself what role the machine plays and how comfortable you are with exposing it to the Internet. Decide carefully which services you want to offer to the whole world. If you are not sure yet, it is best to offer none. It is very important to be clear about your own security policy: you need to decide which applications are acceptable on your system and which are not.
In this article, the example machine is a workstation used to send and receive mail, read news, and browse Web pages.
Establish Network Service Security
First, log on to the system as the superuser (root) and run the netstat command (a standard network tool on most Linux systems) to check the current network status. The output looks like this:

[root@percy / ]# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:imap2                 *:*                     LISTEN
tcp        0      0 *:pop-3                 *:*                     LISTEN
tcp        0      0 *:linuxconf             *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:finger                *:*                     LISTEN
tcp        0      0 *:login                 *:*                     LISTEN
tcp        0      0 *:shell                 *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:6000                  *:*                     LISTEN
udp        0      0 *:ntalk                 *:*
udp        0      0 *:talk                  *:*
udp        0      0 *:xdmcp                 *:*
raw        0      0 *:icmp                  *:*                     7
raw        0      0 *:tcp                   *:*                     7
As you can see, the initial installation is listening for a considerable number of services, and most of these troublemakers are configured in the file /etc/inetd.conf.
Open this file in your text editor and comment out the services you don't want to provide. You only need to add a '#' at the start of each line that defines such a service. In this example, all of the services have been commented out. Of course, if you decide to provide some of these services, that is up to you.
Now restart inetd so that the changes take effect. The method varies by system; one example is:
killall -HUP inetd
Run netstat again to check the open sockets and note what has changed.
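The edit to /etc/inetd.conf described above can be rehearsed on a copy first. The following is an added example, not part of the original article: the function names, the optional "keep" list, and the sample file contents are all constructed for illustration, and the script never touches the real /etc/inetd.conf.

```shell
#!/bin/sh
# Added example: works on a constructed sample file, not on /etc/inetd.conf.

# List the service names on active (uncommented, non-blank) lines.
active_services() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' "$1"
}

# Print the file with every active service line commented out, except
# services named in the remaining arguments (hypothetical "keep" list).
disable_inetd_services() {
    conf=$1; shift
    awk -v keep=" $* " '
        /^[ \t]*(#|$)/              { print; next }    # comment or blank: unchanged
        index(keep, " " $1 " ") > 0 { print; next }    # explicitly kept service
                                    { print "#" $0 }   # everything else: disabled
    ' "$conf"
}

# Constructed sample in the classic inetd.conf column layout.
sample=$(mktemp)
hardened=$(mktemp)
trap 'rm -f "$sample" "$hardened"' EXIT
cat > "$sample" <<'EOF'
# <service> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rlogind
#talk   dgram   udp  wait    root    /usr/sbin/tcpd  in.talkd
pop-3   stream  tcp  nowait  root    /usr/sbin/tcpd  ipop3d
imap2   stream  tcp  nowait  root    /usr/sbin/tcpd  imapd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd in.identd -l -e -o
EOF

echo "Active before: $(active_services "$sample" | tr '\n' ' ')"
disable_inetd_services "$sample" > "$hardened"
echo "Active after:  $(active_services "$hardened" | tr '\n' ' ')"
# Review exactly which lines would change before editing the real file.
diff "$sample" "$hardened" || true
```

Once the diff shows only the intended lines changing, the same edit can be made to the real file, followed by the HUP signal to inetd and a second netstat run.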
Next, check which processes are running. Typically sendmail, lpd, and snmpd are waiting for incoming requests. Since this machine does not serve any such requests, these processes should be stopped.
These services are usually started by the system initialization scripts, which vary by distribution and can be found in /etc/init.d or /etc/rc.d. If you are not sure, refer to the documentation for your distribution. The goal is to prevent the scripts from starting these services when the system boots.
If your Linux distribution uses a packaging system, take some time to remove the services you don't need. In this example, the machine includes sendmail, the "r" service daemons (rwho, rwall, etc.), lpd, ucd-snmp, and apache. Removing the packages is the easiest way to ensure that such services are not activated accidentally.